Long passwords are strong passwords
mb
I noticed that Schneier wrote a bit on choosing passwords, going into some detail on how to secure a password against some of the techniques used to crack passwords.
His specific advice is:
“…if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.”
While I certainly do agree with the validity of this advice, if you are an administrator, I wouldn’t recommend telling users to “drop their appendages in the middle of their roots.” Here’s some more practical advice: tell them to choose long passwords.
Long passwords–say 15 to 20 characters–address many password insecurity issues. Consider, for example:
- There are very few words or names longer than 12 characters, and those that are longer certainly are not common.
- There are very few passwords over 8 characters on most of the widely-available common password lists.
- It is very unlikely to see a word of more than 20 characters on ANY wordlist.
- Most rainbow tables never go beyond 8-10 character passwords.
- Windows does not store LanMan hashes for passwords longer than 14 characters.
- Longer passwords make a pure brute force attack extremely time consuming and processor intensive. I imagine that the heat alone generated for a processor to crack a 20-character mixed set password would be enormous.
- Often, very long passwords can make up for weaknesses in specific encryption algorithms or password protection schemes.
- When used correctly, long passwords can be just as easy to remember as shorter passwords and easier to remember than short totally random passwords.
I decided to come up with a list of strong passwords that I think most people could memorize with little or no effort and type quickly without errors:
- Bronco’s going shopping
- $3 for the pirate hat
- taxes-for-Ponies.gov
- Professor Fartsmart?
- salami4sandwiches.net
Notice that each of these passwords is at least 20 characters long and uses at least 3 character sets, yet I bet few users would be intimidated having to use passwords like these.
I also predict these passwords would hold up quite well against most of the cracking tools out there. Anyone want to give it a try?
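To put the points from the two lists above into a checkable form, here is an added Python example (not code from the original post) that scores the five sample passwords on the properties the post argues for: length, number of character sets, estimated brute-force keyspace in bits, whether the password is past the 14-character LanMan limit, and whether it is past the 8-10 character range most rainbow tables cover. The way character sets are counted (lower, upper, digit, and everything else including space as one "symbol" set) and the 95-character printable ASCII alphabet used for the 8-character baseline are this example's assumptions, not the post's.

```python
import math
import string

# Assumption: four character sets. Anything printable that is not a letter
# or a digit (including space) counts as one "symbol" set. This is the
# conservative reading of the post's "at least 3 character sets" claim.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation) + 1,  # 32 punctuation marks + space = 33
}

# Full printable ASCII (95 characters) for the 8-character baseline comparison.
PRINTABLE_ASCII_SIZE = 95


def character_classes(password):
    """Return the set of character-set names present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def brute_force_bits(password):
    """Estimate exhaustive-search work (in bits, i.e. log2 of the keyspace)
    for an attacker who already knows the length and the character sets used."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet)


def full_keyspace_bits(length):
    """Keyspace in bits for a password of the given length drawn from all 95
    printable ASCII characters; used as the short-password baseline."""
    return length * math.log2(PRINTABLE_ASCII_SIZE)


def exceeds_lanman_limit(password):
    """Windows does not store a LanMan hash for passwords longer than 14 characters."""
    return len(password) > 14


def beyond_rainbow_tables(password, max_table_length=10):
    """True when the password is longer than the 8-10 character range that
    most rainbow tables cover (the upper bound is a parameter)."""
    return len(password) > max_table_length


def assess(password):
    """Summarise every property the post lists for one password."""
    return {
        "length": len(password),
        "classes": len(character_classes(password)),
        "bits": round(brute_force_bits(password), 1),
        "no_lm_hash": exceeds_lanman_limit(password),
        "beyond_rainbow_tables": beyond_rainbow_tables(password),
    }


# The five passwords from the post, used here as sample input.
SAMPLE_PASSWORDS = [
    "Bronco’s going shopping",
    "$3 for the pirate hat",
    "taxes-for-Ponies.gov",
    "Professor Fartsmart?",
    "salami4sandwiches.net",
]


def all_samples_meet_claims(min_length=20, min_classes=3):
    """Check the post's claim that every sample is at least 20 characters long,
    uses at least 3 character sets, and beats an 8-character full-ASCII password."""
    baseline = full_keyspace_bits(8)
    return all(
        len(p) >= min_length
        and len(character_classes(p)) >= min_classes
        and brute_force_bits(p) > baseline
        for p in SAMPLE_PASSWORDS
    )


if __name__ == "__main__":
    print(f"8-char printable-ASCII baseline: {full_keyspace_bits(8):.1f} bits")
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r}: {assess(pw)}")
    print("all samples meet the post's claims:", all_samples_meet_claims())
```

Running the block prints the baseline (about 52.6 bits for 8 printable-ASCII characters) next to each sample, all of which land well above 120 bits under the stated assumption, which is the arithmetic behind the brute-force bullet above.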